feat: add enhanced security option (-E flag / SECURE env)

Add new option to enable enhanced SMB security: - server signing = mandatory (prevents packet tampering) - client signing = mandatory (ensures client authenticity) - smb encrypt = desired (encrypts traffic when supported) Usage: - CLI: -E flag - Environment: SECURE=true Note: Some older clients may not support these features. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-07 22:27:15 +03:00
parent 8c17a559b9
commit efa529feef
3 changed files with 41 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
  - `max xmit = 65535` — maximum packet size for better throughput
  - `write cache size = 1048576` — 1MB write cache for improved write performance

+- **Enhanced security option** (`-E` flag / `SECURE` env variable)
+  - Enables mandatory server and client signing
+  - Enables SMB encryption (desired mode)
+  - Protects against man-in-the-middle attacks
+
 ### Security

 - **Secure password handling in user() function** (samba.sh)
--- a/README.md
+++ b/README.md
@@ -85,6 +85,7 @@ docker run -it --rm upagge/samba -h
 | `-w "<workgroup>"` | Configure workgroup (domain) |
 | `-W` | Allow wide symbolic links |
 | `-I "<path>"` | Add include at the end of smb.conf |
+| `-E` | Enable enhanced security (signing + encryption) |

 ### Share Parameter Format (-s)

@@ -135,6 +136,7 @@ docker run -it --rm upagge/samba -h
 | `TZ` | Timezone (e.g., `Europe/London`) |
 | `USER` | User configuration (supports USER2, USER3...) |
 | `WIDELINKS` | Allow wide symbolic links |
+| `SECURE` | Enable enhanced security (signing + encryption) |
 | `WORKGROUP` | Workgroup |
 | `USERID` | UID for smbuser |
 | `GROUPID` | GID for smb group |
@@ -313,6 +315,23 @@ docker run -it --network host \
 - Store passwords in `.env` file or Docker secrets
 - Restrict share access to specific users

+### Enhanced Security Mode
+
+For environments requiring additional protection, use the `-E` flag or `SECURE=true` environment variable:
+
+```bash
+docker run -it -p 445:445 -d upagge/samba -E -p \
+    -u "user;password" \
+    -s "secure_share;/data;yes;no;no;user"
+```
+
+This enables:
+- **Server signing** (mandatory) — prevents packet tampering
+- **Client signing** (mandatory) — ensures client authenticity
+- **SMB encryption** (desired) — encrypts traffic when client supports it
+
+**Note**: Some older clients may not support these features. Only enable if all clients are compatible.
+
 ## Feedback

 If you have any problems or questions, please create an [issue on GitHub](https://github.com/upagge/samba/issues).
--- a/samba.sh
+++ b/samba.sh
@@ -275,6 +275,18 @@ widelinks() {
    sed -i 's/\(follow symlinks = yes\)/'"$replace"'/' "$SMB_CONF"
 }

+### secure: enable enhanced security (signing and encryption)
+# Arguments:
+#   none)
+# Return: result
+secure() {
+    sed -i '/\[global\]/a \
+   # Enhanced security settings\
+   server signing = mandatory\
+   client signing = mandatory\
+   smb encrypt = desired' "$SMB_CONF"
+}
+
 ### usage: Help
 # Arguments:
 #   none)
@@ -325,6 +337,8 @@ Options (fields in '[]' are optional, '<>' are required):
    -I          Add an include option at the end of the smb.conf
                required arg: \"<include file path>\"
                <include file path> in the container, e.g. a bind mount
+    -E          Enable enhanced security (signing and encryption)
+                Enables: server signing, client signing, SMB encryption

 The 'command' (if provided and valid) will be run instead of samba
 " >&2
@@ -334,10 +348,11 @@ The 'command' (if provided and valid) will be run instead of samba
 [[ "${USERID:-""}" =~ ^[0-9]+$ ]] && usermod -u $USERID -o smbuser
 [[ "${GROUPID:-""}" =~ ^[0-9]+$ ]] && groupmod -g $GROUPID -o smb

-while getopts ":hc:G:g:i:nprs:Stu:Ww:I:" opt; do
+while getopts ":hc:EG:g:i:nprs:Stu:Ww:I:" opt; do
    case "$opt" in
        h) usage ;;
        c) charmap "$OPTARG" ;;
+        E) secure ;;
        G) parse_args "$OPTARG"; generic "${PARSED_ARGS[@]}" ;;
        g) global "$OPTARG" ;;
        i) import "$OPTARG" ;;
@@ -377,6 +392,7 @@ while read i; do
 done < <(env | awk '/^USER[0-9=_]/ {sub (/^[^=]*=/, "", $0); print}')
 [[ "${WORKGROUP:-""}" ]] && workgroup "$WORKGROUP"
 [[ "${WIDELINKS:-""}" ]] && widelinks
+[[ "${SECURE:-""}" ]] && secure
 [[ "${INCLUDE:-""}" ]] && include "$INCLUDE"
 [[ "${PERMISSIONS:-""}" ]] && perms &